Has WannaCry Set A Precedent? Enterprises Need to Stay Prepared

The WannaCry virus attack wreaked havoc in mid-May as it hit over 200,000 computers worldwide. The virus affected computers in 150 countries across North America, Europe and Asia, and the attack was the largest ransomware delivery campaign to date.

The National Health Service (NHS) in the UK was affected. Critical medical procedures had to be postponed, hospitals were unable to admit patients, and ambulances had to be diverted to other hospitals. Doctors briefly had to go back to pen and paper. In China, college and university students found their data encrypted by the virus. In Germany, the railway was affected, as was Telefónica, one of the largest mobile operators in Spain. The virus made its way into numerous other industries and businesses around the world.

The WannaCry ransomware, also known as Wanna Decryptor, leveraged a vulnerability in Windows SMB (Server Message Block) through an exploit called EternalBlue, which allows a remote attacker to take over a computer running an unpatched Microsoft Windows operating system. Once a machine is infected, WannaCry scans for other unpatched PCs on the same local network, as well as for random hosts on the Internet, and spreads quickly without any user interaction. After encrypting data on affected computers, the ransomware asked users to pay anywhere from 300 to 700 bitcoins to decrypt the data. Users were given an ultimatum of three days to pay up or lose their data.

InfyTalk: After WannaCry, there is much anxiety around virus and hacker attacks. Could you shed some light on how enterprises should respond to such attacks?

Shyam: 2015 and 2016 have seen over 1,000 attacks each. Yes, the scale of this recent attack has been unprecedented and has brought the criticality of security back into the limelight. Enterprises cannot afford to respond to a security breach in a reactive manner, and need to have policies that are continuously reviewed, tested, and improved as vulnerabilities are identified. One of the weakest links in an enterprise is its employees. Ensuring they are knowledgeable about the various types of viruses and phishing emails is important. This can be done through awareness programs that are integrated into the security policy.

If ransomware is suspected on a system, it should be immediately isolated from the network to stop its spread, and antivirus software with the latest updates should be used to clean the system. If, in error, a user does run a file that could contain a potential virus or ransomware, the user should be instructed to quickly disconnect from the network. The virus can be stopped from spreading by shutting down the network and restoring backups.

Viruses and hackers continuously explore and exploit new vulnerabilities in software. Manually monitoring and preventing them is not a viable solution. Enterprises need to invest in technology solutions that can continuously learn and adapt to dynamic threat situations. At Infosys, we apply machine learning algorithms and AI techniques to immediately detect attempts to breach security. Our solutions use machine learning algorithms to find anomalies and correlations in near real-time across various IT telemetry data, such as DNS lookups, network flows, proxy lookups, web logs, application logs and others, and automate the isolation of suspected machines for further analysis.
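The two answers above describe the loop a defender wants in place against a worm like WannaCry: watch network telemetry for anomalies, and automatically isolate a suspected machine. The block below is an added illustration and is not Infosys code or anything described on the page. It assumes a constructed flow-log format (`timestamp src_ip dst_ip dst_port`, one record per line) and a hypothetical `isolation_actions` step that only records a decision instead of calling a real NAC or EDR API. The anomaly it looks for is the spreading behaviour the article attributes to WannaCry: one source fanning out to many distinct hosts on TCP/445 within a short window, as opposed to a workstation talking repeatedly to a single file server.

```python
"""Added example (not from the article or Infosys): flag sources that fan out
to many distinct SMB peers in a sliding time window and queue them for
isolation. Flow-record format and the isolation stub are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log. 10.0.0.7 contacts six different hosts on
# TCP/445 within a few seconds (worm-like fan-out). 10.0.0.8 hits the same
# file server on 445 three times (normal), 10.0.0.5 is ordinary traffic, and
# one malformed line is included to show that parsing tolerates it.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.20 443
2017-05-12T10:00:03 10.0.0.8 10.0.0.10 445
2017-05-12T10:00:04 10.0.0.7 10.0.0.21 445
2017-05-12T10:00:04 10.0.0.7 10.0.0.22 445
this line is malformed
2017-05-12T10:00:05 10.0.0.7 10.0.0.23 445
2017-05-12T10:00:05 10.0.0.8 10.0.0.10 445
2017-05-12T10:00:06 10.0.0.7 10.0.0.24 445
2017-05-12T10:00:07 10.0.0.5 10.0.0.10 445
2017-05-12T10:00:07 10.0.0.7 10.0.0.25 445
2017-05-12T10:00:09 10.0.0.7 10.0.0.26 445
2017-05-12T10:00:10 10.0.0.8 10.0.0.10 445
2017-05-12T10:00:12 10.0.0.5 10.0.0.20 443
"""

SMB_PORT = 445
WINDOW = timedelta(seconds=60)
FANOUT_THRESHOLD = 5  # distinct 445 peers per source within WINDOW (assumed tuning)


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            records.append((datetime.fromisoformat(ts), src, dst, int(port)))
        except ValueError:
            continue
    return records


def find_smb_scanners(records, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: peak_distinct_peers} for sources that reach at least
    `threshold` distinct hosts on TCP/445 inside any window of `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(records):  # chronological per source
        if port == SMB_PORT:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        left = 0
        peers = defaultdict(int)  # dst -> number of flows still inside the window
        for ts, dst in events:
            peers[dst] += 1
            # Slide the window forward, dropping flows older than `window`.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                peers[old_dst] -= 1
                if peers[old_dst] == 0:
                    del peers[old_dst]
                left += 1
            if len(peers) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged


def isolation_actions(flagged):
    """Stub for the automated-isolation step: returns one decision per host
    rather than calling a real network-access-control or EDR API."""
    secs = int(WINDOW.total_seconds())
    return [f"isolate {src}: {n} distinct SMB peers within {secs}s"
            for src, n in sorted(flagged.items())]


if __name__ == "__main__":
    findings = find_smb_scanners(parse_flows(SAMPLE_FLOWS))
    for action in isolation_actions(findings):
        print(action)
```

Counting distinct peers rather than raw connection attempts is what keeps the file-server traffic from 10.0.0.8 out of the findings; in a real deployment the threshold and window would be tuned per network segment, and the isolation action would be wired to whatever quarantine mechanism the enterprise already runs.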

InfyTalk: While WannaCry affected enterprises across industries, do you see any that are particularly more vulnerable than others?

Shyam: Enterprises that do not invest in preventive and predictive IT solutions are vulnerable to virus attacks like that of WannaCry. Enterprises need robust IT solutions that monitor their infrastructure and uncover vulnerabilities. The maturity of implementing security best practices varies by industry. Those industries that have been slow to adopt security best practices have been affected in recent times. Many enterprises in these industries do not have strong security incident handling and response solutions, and are slow to install software patches and protect their assets.

Some of the industries that deal with sensitive data, like healthcare, are especially vulnerable. In 2016, the industry experienced 450 breaches in the US, almost double that of the previous year. 43 percent of these breaches were a result of human error. And these breaches came with a heavy price tag. According to research, each leaked record costs $402, and when one considers the number of data points related to each individual - social security number, treatment record, payment information and sensitive personal information - a data breach can be potentially devastating to a healthcare enterprise.

InfyTalk: Do you think 'online security' and 'hack-proof' have just been redefined by the Shadow Brokers who stole information from the US National Security Agency (NSA)?

Shyam: Absolutely. The NSA getting hacked only goes to reiterate that no organization is beyond a malicious breach. An enterprise can have best-in-class security, but it is often the weakest link in the chain that hackers exploit. The way to safeguard against hacking is to adopt a 'defense in depth' policy, wherein all the layers of security are constantly tested to ensure they can withstand an intrusion. Security has to be a collective responsibility. Security engineers need to have SLAs that require proactive monitoring, and employees must be made aware of possible vulnerabilities through passive and just-in-time training.

InfyTalk: Data loss is expensive, by way of penalties, regulatory strictures and fines. How do you think enterprises can avert such attacks?

Shyam: Cyber-crimes are slated to cost $6 trillion by 2021. The solution lies in adopting a proactive, intelligent and comprehensive security management solution. Enterprises should invest in advanced threat detection and prevention solutions which use AI and machine learning algorithms, which can adapt and learn quickly to detect and prevent attacks. A proactive process that focuses on prevention and fast recovery, such as installing security updates, disabling unnecessary default settings and taking backups of critical data, is another important aspect. Employees should be trained and sensitized about security best practices like setting strong passwords and identifying phishing emails.

InfyTalk: What are your thoughts on the ransom being collected in bitcoins?

Shyam: Unlike transactions with credit and debit cards, those with bitcoins are anonymous. This enables the hackers to keep their identity confidential. In the case of the recent ransomware attack, victims were told to deposit the ransom amount in a bitcoin wallet, linked to a bitcoin address. And since these wallets were publicly accessible, online viewers could easily monitor the amount being deposited into the wallet. And yet, nobody could know the physical location of the person to whom the payment was being made. This instance highlights the dark side of blockchain, which on the one hand is gearing up for primetime, while on the other, its use in the recent ransom case creates a bad use case.

With computing devices increasing and BYOD becoming the norm, enterprises must have stringent policies to protect their network and data. In today's digital economy, it is data that is the true competitive differentiator.